bajatax Malware infecting

As one of my sites is being infected by this malware, I properly run WordPress free plugin Wordfence that runs all OK, but the malware still recreates files day after day since a week now. It also use the mail service to send spam, so I move back to the DNS servers and MX from my domain name provider.

WordPress plugins that can cause the infection may be WP File Manager and Duplicator.

The malware had created simlinks to different services, and it may have taken control over different services in the server. The fact is that now, the PDNS service is in fail state, CP firewall page is not loading correctly, MariaDB is started but shows 0 MB utilisation…

I would like to do something about it, so I am asking for advice and help, please…

ClamAV marked FOUND in home/vmail directory

Thanks for the advices.
ClamAV should realy be proposed with CyberPanel installation. Many servers may be infected.
I will clean php files, hoping attacks may be contained by Wordfence firewall.
But problems mentioned: “The fact is that now, the PDNS service is in fail state, CP firewall page is not loading correctly, MariaDB is started but shows 0 MB utilisation” persists after removing infections files. ClamAV found 3 of them in /home. It is scanning the whote /home at the moment.

Any idea?

I mean 2 viruses in vmail and 1 in http site

As viruses are removed, should any process associated be stopped? Should the server be restarted after ClaimAV had removed those files?